[webkit-changes] [WebKit/WebKit] d3e09c: Regression(267815.354 at safari-7617-branch) ASSERTIO...

[Chris Dumez]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d3e09ca8668bca5183f6dee9e88193fb826ae514
      https://github.com/WebKit/WebKit/commit/d3e09ca8668bca5183f6dee9e88193fb826ae514
  Author: Chris Dumez <cdumez at apple.com>
  Date:   2024-03-23 (Sat, 23 Mar 2024)

  Changed paths:
    M Source/WebCore/html/HTMLPlugInImageElement.cpp

  Log Message:
  -----------
  Regression(267815.354 at safari-7617-branch) ASSERTION FAILED: ownerElement.document().frame() in the tests
https://bugs.webkit.org/show_bug.cgi?id=268010
rdar://121528243

Reviewed by Ryosuke Niwa and Geoffrey Garen.

In 267815.354 at safari-7617-branch, we updated HTMLPlugInImageElement::requestObject()
to call SubframeLoader::requestObject() asynchronously. Previously, when we called
SubframeLoader::requestObject() the frame owner element's document would still be
connected (i.e. have a frame) and it was enforced by an assertion both in
HTMLPlugInImageElement::requestObject() and SubframeLoader::requestObject().

After my change in 267815.354 at safari-7617-branch, the assertion in
SubframeLoader::requestObject() would sometimes fail as this code now runs
asynchronously and the state of the DOM tree may have changed in between.

To address the issue, check if the document still have a frame when the async
lambda runs and return early if it doesn't. There is no point in loading a subframe
in a document that was detached.

* Source/WebCore/html/HTMLPlugInImageElement.cpp:
(WebCore::HTMLPlugInImageElement::requestObject):

Originally-landed-as: 272448.355 at safari-7618-branch (99b063d917a4). rdar://124554988
Canonical link: https://commits.webkit.org/276600@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications